PatchSiren

CVE-2026-24215 NVIDIA CVE debrief

On 2026-05-20, NVIDIA disclosed CVE-2026-24215 affecting Triton Inference Server’s DALI backend. The issue is classified as uncontrolled resource consumption (CWE-400) and can lead to denial of service. The published CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H, so the primary impact is availability rather than confidentiality or integrity. NVD’s affected CPE criteria mark nvidia:triton_inference_server versions before 26.03 as vulnerable.

Vendor: NVIDIA
Product: Triton Inference Server
CVSS: MEDIUM 5.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

Teams operating NVIDIA Triton Inference Server, especially platform, ML infrastructure, and SRE/operations teams responsible for shared or exposed inference services. Pay closest attention to deployments running versions before 26.03.

Technical summary

The supplied record describes an uncontrolled resource consumption condition in Triton Inference Server’s DALI backend. Per the CVSS vector, exploitation requires network access, low privileges, and user interaction, and the stated impact is a high loss of availability with no indicated confidentiality or integrity impact. The NVD record identifies CWE-400 and limits the vulnerable scope to versions before 26.03.

Defensive priority

Medium priority. Treat as a service-availability risk and accelerate remediation if Triton Inference Server is internet-facing, multi-tenant, or operationally critical. Otherwise, include it in the next normal patch cycle while validating affected version scope.

Recommended defensive actions

  • Inventory all NVIDIA Triton Inference Server deployments and confirm whether any instance is running a version before 26.03.
  • Review the NVIDIA PSIRT advisory and apply the vendor’s recommended update or mitigation path when available.
  • Restrict exposure of Triton endpoints to trusted networks and authenticated users where possible.
  • Monitor for abnormal CPU, memory, thread, worker, or request-queue growth that could indicate resource exhaustion.
  • Apply rate limiting, quotas, or isolation controls around workloads that use the DALI backend to reduce denial-of-service impact.
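For the inventory step above, the following added example (not from NVIDIA or the original page) classifies container image references against the NVD range "before 26.03". It assumes Triton is deployed from images whose tag begins with the YY.MM release, as in `tritonserver:25.12-py3`; the deployment names and the internal registry host are constructed sample data.

```python
import re

# NVD versionEndExcluding for CVE-2026-24215, as stated on this page.
FIXED = (26, 3)

# Constructed sample inventory: deployment names and registries are hypothetical.
INVENTORY = [
    ("prod-a", "nvcr.io/nvidia/tritonserver:25.12-py3"),
    ("prod-b", "nvcr.io/nvidia/tritonserver:26.03-py3"),
    ("stage", "nvcr.io/nvidia/tritonserver:26.02-py3-min"),
    ("edge", "registry.example.internal/ml/triton@sha256:<digest>"),
    ("dev", "nvcr.io/nvidia/tritonserver:latest"),
    ("lab", "registry.example.internal:5000/ml/tritonserver:26.04-py3"),
]

# Assumption: the tag starts with the YY.MM release, optionally followed by "-suffix".
TAG_RE = re.compile(r"^(\d{2})\.(\d{2})(?:-.*)?$")


def release_of(image_ref):
    """Return (YY, MM) parsed from the image tag, or None if it cannot be determined."""
    name = image_ref.split("@", 1)[0]      # drop any digest
    last = name.rsplit("/", 1)[-1]         # last path component; skips a registry port
    if ":" not in last:
        return None                        # untagged or digest-only reference
    match = TAG_RE.match(last.split(":", 1)[1])
    return (int(match.group(1)), int(match.group(2))) if match else None


def classify(image_ref):
    """Place an image reference relative to the vulnerable range (before 26.03)."""
    release = release_of(image_ref)
    if release is None:
        return "unknown"                   # floating tag or digest: verify manually
    return "vulnerable" if release < FIXED else "outside-range"


def audit(inventory):
    return {name: classify(ref) for name, ref in inventory}


if __name__ == "__main__":
    for name, status in audit(INVENTORY).items():
        print(f"{name:8} {status}")
```

Entries reported as "unknown" (floating tags such as `latest`, or digest-only references) cannot be placed from the reference alone and need the running server's reported version checked directly.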

Evidence notes

Source corpus indicates the CVE was published and modified on 2026-05-20. NVD lists vulnerability status as Analyzed, weakness CWE-400, and CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H. The affected CPE criteria in NVD mark cpe:2.3:a:nvidia:triton_inference_server:*:*:*:*:*:*:*:* as vulnerable with versionEndExcluding 26.03. Official references include the CVE.org record, the NVD detail page, and NVIDIA’s PSIRT advisory.

Official resources

NVIDIA PSIRT disclosed the issue on 2026-05-20. The CVE record and NVD entry were published the same day, and the NVD record was updated on 2026-05-20.